5f26ec6a89a14aedcee85883d41d5ca81a2ba2a7c99ec464abaa5bd63b6cbe1b

General

Target

MV TBN CALL PORT FOR LOADING COAL_pdf.exe
Size

527KB
MD5

aa683fc072f3ae7d3746555ad0d2fa86
SHA1

6e3a1234cfc5658c9da297cba29d5869b7d48906
SHA256

5f26ec6a89a14aedcee85883d41d5ca81a2ba2a7c99ec464abaa5bd63b6cbe1b
SHA512

ca3733205d1606e6d981f89a6b312bfedc00e2195e947729108d0c0d32b75b6d9a7794e7a29663baee12d7a5e64c13ee588edf70274a9697081cbc6e7292b0dd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MV TBN CALL PORT FOR LOADING COAL_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHqFoFvd = "C:\\Users\\Admin\\AppData\\Roaming\\hFqxlHG\\afPZt.exe"	MV TBN CALL PORT FOR LOADING COAL_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

MV TBN CALL PORT FOR LOADING COAL_pdf.exe

description	pid	process	target process
PID 1124 wrote to memory of 1512	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1512	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1512	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1512	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
PID 1124 wrote to memory of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MV TBN CALL PORT FOR LOADING COAL_pdf.exeMV TBN CALL PORT FOR LOADING COAL_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
Token: SeDebugPrivilege	1596	MV TBN CALL PORT FOR LOADING COAL_pdf.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MV TBN CALL PORT FOR LOADING COAL_pdf.exeMV TBN CALL PORT FOR LOADING COAL_pdf.exe

pid process

1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe
1596 MV TBN CALL PORT FOR LOADING COAL_pdf.exe
1596 MV TBN CALL PORT FOR LOADING COAL_pdf.exe

pid	process
1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
1596	MV TBN CALL PORT FOR LOADING COAL_pdf.exe
1596	MV TBN CALL PORT FOR LOADING COAL_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MV TBN CALL PORT FOR LOADING COAL_pdf.exe

description	pid	process	target process
PID 1124 set thread context of 1596	1124	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	MV TBN CALL PORT FOR LOADING COAL_pdf.exe

C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1124

C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe
"{path}"
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe
"{path}"
2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1596-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1596-3-0x000000000044A6FE-mapping.dmp

Download
memory/1596-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1596-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads